Coronaware Security (Sub)domains Report 2020
Prepared by: bit-sentinel.com
Table of contents
Intro
Summary stats
Evolution of (sub)domains registered over time
Top 15 TLDs
Top 15 ASNs
Top 15 Countries
Top 15 Servers
Top 15 Words used
What others did
Conclusions
Your Safety is OUR Business
Intro
As in every industry, keeping up with trends is an important factor in gaining an edge and staying one step ahead. Cybersecurity is no exception, attackers being well-known early adopters and innovators.
Thus, our team at Bit Sentinel has been actively monitoring newly registered domains and subdomains containing keywords such as ‘corona’ or ‘covid’. During this period we observed a surge in registered (sub)domains containing the watched keywords.
In the following pages we take you through our observations and through what we discovered when analysing the numbers and information.
Summary stats
From the beginning of the year to the moment of writing, we have observed:
• close to 170,000 new (sub)domains, 80% of which are still up and running;
• around 14,700 (sub)domains redirecting to some 4,000 other (sub)domains.
Stats related to the IPs hosting these (sub)domains:*
• 9,600 IPs are known for Forum and Email Spamming.
• 40 IPs are known for Services Brute-force Attacks (such as SSH or FTP).
• 11,500 IPs are known for being used as Command & Control Servers.
• 24,200 IPs are known for hosting Illegal Pharmacy Websites.
• 14,300 IPs are known for Ransomware Attacks.
• 42,200 IPs are known for running Ads or Tracking Services.
• 75,100 IPs are known for Phishing Attacks.
• 11,400 IPs are known for distributing Warez content.
• 40,000 IPs are known for Cryptojacking Attacks.
• 10 IPs are known for being Bitcoin Nodes.
• 72,900 IPs are known for distributing Malware.
• 5 IPs are known for being Tor Nodes.
• 20 IPs are known for Login Brute-force Attacks against Popular Web Platforms (such as WordPress, Joomla and others).
• 20,000 domains run Google AdSense ads or Google Analytics.
• 70 IPs are known for Web Exploitation Attacks.
• 16,000 domains are parked.
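The monitoring described in the Intro (a keyword watch over newly issued certificates) and the IP reputation figures above can be reproduced end to end with a small pipeline. The Python below is an added example written for this edit, not Bit Sentinel's own tooling: it consumes certstream-shaped records, keeps hostnames containing the watched keywords, buckets them per day, tallies TLDs and name tokens, and checks resolved IPs against lists in the FireHOL netset format. The feed records, DNS resolutions and netset lines are all constructed; the TLD is taken as the last label (which matches the report's ".uk" entry) and name tokens are split on dots and hyphens, both of which are simplifications.

```python
"""Keyword watch over a certstream-style feed, enriched with IP reputation lists.
Added example, not Bit Sentinel's own tooling. Every input below (feed records,
DNS resolutions, netset lines) is constructed for the demonstration."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

WATCH_KEYWORDS = ("corona", "covid")

def _cert(seen, *domains):
    """Build a constructed record shaped like certstream's certificate_update message."""
    return {"message_type": "certificate_update",
            "data": {"seen": seen, "leaf_cert": {"all_domains": list(domains)}}}

# Constructed feed (only the fields used here are included).
SAMPLE_FEED = [
    _cert(1585699200, "covid-19-have-not.example.org",
          "www.covid-19-have-not.example.org"),          # 2020-04-01 00:00 UTC
    _cert(1585702800, "*.coronahelp.example.uk"),          # wildcard SAN
    {"message_type": "heartbeat", "data": {}},             # no certificate
    _cert(1585785600, "shop.example.net", "covidtest.example.net",
          "COVIDTEST.example.net"),                        # 2020-04-02 00:00 UTC
]

# Constructed DNS answers for the hostnames that match.
SAMPLE_RESOLVED = {
    "covid-19-have-not.example.org": ["203.0.113.10"],
    "www.covid-19-have-not.example.org": ["203.0.113.10"],
    "coronahelp.example.uk": ["198.51.100.7"],
    "covidtest.example.net": ["192.0.2.5"],
}

# Constructed lists in the FireHOL netset format: one IP or CIDR per line, '#' starts a comment.
SAMPLE_NETSETS = {
    "phishing": "# constructed phishing list\n203.0.113.0/24\n198.51.100.7\n",
    "malware": "198.51.100.0/25  # constructed malware list\n",
}

def matching_hosts(feed, keywords=WATCH_KEYWORDS):
    """Yield (seen_timestamp, hostname) once per unique hostname containing a keyword."""
    seen = set()
    for msg in feed:
        if msg.get("message_type") != "certificate_update":
            continue  # heartbeats carry no certificate
        for host in msg["data"]["leaf_cert"]["all_domains"]:
            host = host.lower().lstrip("*.")  # wildcard SAN -> its base name
            if host in seen or not any(k in host for k in keywords):
                continue
            seen.add(host)
            yield msg["data"]["seen"], host

def tld_of(host):
    """Last label only; '.co.uk' counts as '.uk', as in the report's TLD chart."""
    return host.rsplit(".", 1)[-1]

def words_of(host):
    """Split the non-TLD labels on hyphens; 'www' is dropped as noise."""
    return [w for label in host.split(".")[:-1] if label != "www"
            for w in label.split("-") if w]

def load_netsets(netsets_text):
    """Parse {category: netset text} into {category: [ip_network, ...]}."""
    parsed = {}
    for category, text in netsets_text.items():
        nets = []
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                nets.append(ipaddress.ip_network(line, strict=False))
        parsed[category] = nets
    return parsed

def ip_categories(ip, netsets):
    """Sorted list of categories whose networks contain the address."""
    addr = ipaddress.ip_address(ip)
    return sorted(cat for cat, nets in netsets.items() if any(addr in n for n in nets))

def build_report(feed, resolved, netsets_text, keywords=WATCH_KEYWORDS):
    """Aggregate the figures the report presents: per-day counts, TLDs, words, IP reputation."""
    netsets = load_netsets(netsets_text)
    hosts = list(matching_hosts(feed, keywords))
    per_day = Counter(datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()
                      for ts, _ in hosts)
    ips_by_category = defaultdict(set)  # unique IPs per category, as the report counts them
    flagged = {}
    for _, host in hosts:
        for ip in resolved.get(host, []):
            cats = ip_categories(ip, netsets)
            for cat in cats:
                ips_by_category[cat].add(ip)
            if cats:
                flagged[host] = cats
    return {
        "hosts": [h for _, h in hosts],
        "per_day": dict(per_day),
        "tlds": Counter(tld_of(h) for _, h in hosts),
        "words": Counter(w for _, h in hosts for w in words_of(h)),
        "ip_counts": {cat: len(ips) for cat, ips in ips_by_category.items()},
        "flagged": flagged,
    }
```

Running `build_report(SAMPLE_FEED, SAMPLE_RESOLVED, SAMPLE_NETSETS)` flags the two hosts on 203.0.113.10 as phishing and the .uk host as both malware and phishing; the IP counts are per unique address, so the two hosts sharing one phishing IP contribute a single hit, which is the same counting the report uses and also why the disclaimer about shared hosting matters.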
Let’s go a bit deeper into these numbers, shall we?
Evolution of (sub)domains registered over time
We can see that:
• At the end of January, around 100 new (sub)domains were appearing daily in the wild.
• At the end of February, the daily count was around 500.
• From March to the beginning of April, the count rose almost tenfold, to around 3,000 daily.
• It slowly descended afterwards, to around 1,000 daily during May.
• It descended further, to the low hundreds, during June, with a spike of around 4,000 in mid-June.
Top 15 TLDs
We can see that the top TLDs feature the following:
• First place is occupied by .org
• Closely followed by .uk
• In third place is .net
Top 15 ASNs
From the ASNs we can find out which web hosting solutions were used, and we discovered that:
• Almost half of the (sub)domains are hosted on GoDaddy
• Other popular solutions: Google, Amazon, Namecheap, OVH and DigitalOcean
• The good thing: 9% of the (sub)domains are behind a Cloudflare firewall
Top 15 Countries
The top locations of the servers hosting the (sub)domains are:
• USA: 7 out of 10 (sub)domains are hosted in the US
• Germany is in second position
• followed by Canada in third position
Top 15 Servers
The four most popular server choices remain the same as those reported worldwide by W3Techs:
• Microsoft IIS
• Apache
• Nginx
• Cloudflare
Top 15 Words used
The most used term is COVID-19, closely followed by ‘have’ and ‘not’, a verb and a negation mostly used in calls to action and for precautions (things NOT to be done).
What others did
Namecheap's CEO, Richard Kirkendall, sent an email to all registered users informing them that registering domains containing keywords such as coronavirus, COVID or vaccine would no longer be possible, unless the registrant had a legitimate reason, which would be manually reviewed by their customer support.
Conclusions
Despite the huge spike in new (sub)domains, malicious (sub)domains were promptly dealt with, which is a good thing. Yet, as old ones were taken down, new ones took their place, as in a game of whack-a-mole.
The Namecheap initiative of banning coronavirus-related domains also helped discourage malicious actors from registering their domains.
As always, we have a few pieces of practical advice for you:
1. Don’t enter suspicious URLs.
2. Always double-check the domain address and make sure it is the correct one: hackers create URLs very similar to the original to make the website look legitimate.
3. If you need to access a website you don’t trust, first scan it with a well-known solution such as VirusTotal, open it in a controlled, safe environment such as a virtual machine, and don’t entrust sensitive information to it.
Sources and resources:
• urlscan.io
• iplists.firehol.org
• in-house URL scanners
• Feed of (sub)domains: certstream
*(!) Disclaimer: the IPs hosting these (sub)domains may be servers running shared web hosting services, or may have been used for malicious activities in the past and since been cleaned up; at the moment of publishing, the numbers may therefore be less accurate.
About us
We help companies discover, prioritize, and effectively remediate potential cybersecurity risks. Bit Sentinel is an information security company that aims to protect businesses against cyber threats by offering a variety of services like:
• Penetration testing
• Managed security
• Blockchain security
• Incident response
• Security training
• Cybersecurity consultancy
We assist companies to interpret, prioritize, and act on threat data to ensure business continuity and peace of mind.
We routinely assess security controls and implement proactive measures to ensure our clients’ setup stays resilient and compliant.
We perform external security audits for token sale and smart contracts, exchange platforms, token trackers and more.
We help you understand and improve how your company reacts to the exploitation of human beings across departments.
We thoroughly review current policies and procedures, working with each client to improve internal & external processes and minimize cyber risks.
We intervene promptly to apply disaster recovery plans, identify points of failure, clean up malicious code, and harden security to prevent subsequent attacks and fraud.
Contact info: Bit Sentinel, [email protected]
Let’s have a talk!